Also I am a little confused if I CAN’T use permissions, why can I use roles? And when I use roles, why are only the permissions included in the access token?
This is basically forcing me to use one for the UI and one for the BE. This seems to add some confusion to my app and it would be easier to just use one or the other. So I am a bit confused on the security difference if the permissions are listed in the JWT access token and anyone can decrypt that to infer the permissions.